Author: Ken

Ken Carmack has over 20 years of experience in the technology field and provides onsite services for a broad range of IT needs. A former CPA, Ken knows what a business needs, and can help you meet your financial and productivity goals.
Technology is moving at a dizzying pace, one that most people cannot master on a daily basis. Ken plunged into technology as a student at Wake Forest University in the 1980s, working in the main computer center and various student labs. He later served as the technology officer for a commercial real estate company with three offices in North Carolina.
Ken graduated cum laude from Wake Forest University in 1989 with a B.S. in Accounting and went on to earn his CPA certificate. He constantly monitors new technology developments and regularly takes classes on networking, security and hardware/software support to stay abreast of emerging trends.
In his spare time, Ken enjoys competitive road cycling, mountain biking, running, triathlons and chasing his two daughters around town.

Once you raid the grocery store for break, milk & beer, it’s a good time to protect your electronics and data from natural disasters. Thus, I have listed a few precautionary measures that users should take to protect data and equipment when the weather takes a threatening turn.

Backup your data – this goes without saying, whether weather is threatening or not. ALL of your data should be backed up to protect against data loss resulting from natural disasters, malware attacks, hacks and other threats to your data security. If you backup to a hard drive, make sure you’re storing it offsite in the event of fire or flood. Best practice is to have combination of cloud and local (but offsite) backup.

Unplug your stuff – unplug power cords AND network cables. This applies to computers, televisions, servers, tablets, routers, mobile phones, etc. Just take care to perform a normal shutdown of computers rather than putting them to sleep or hibernation before unplugging from the wall.

Fried circuit board

Use surge protectors – If your equipment must remain “up” during a storm, make sure it’s connected to surge protectors (NOT power strips) or battery backups to protect against mild electrical impulses. While most surge protectors will not protect against a direct hit, they should absorb mild jolts. Even if your electronics are plugged into a surge protector, though, you should still shut down your devices and disconnect the surge protector from the wall when thunderstorms are near.

Charge phones, laptops & tablets BEFORE the heavy stuff arrives – as long as cell towers are unaffected, you should be able to communicate with the outside world even during local power outages.

People frequently ask me whether it’s best to put their computers to sleep at night or shut down completely. I typically put my machines to sleep at the end of the day so that they start up quickly in the morning. However, during summer months when thunderstorms can develop rapidly or whenever foul weather is imminent, I always shut my equipment down and pull the power and data plugs for extra peace of mind.

Finally, don’t wait until storms are on the approach to take these steps. If you’re leaving for the weekend, go ahead and take precautionary measures to protect your gear. If you’re already on the road and your devices are connected to surge protectors, hope for the best.

Remember, an ounce of prevention can be the difference between protecting your assets/data and scrambling to recover it!

Share this:

I have a commercial real estate client that is onboarding to Yardi from Quickbooks and has asked me to manage the process. As such, I am looking for a contractor who has experience in Yardi, specifically in the accounting function, to assist with the process. This is a fairly small development and property management company with a portfolio of about 10 properties, 5 of which are single tenant. They have roughly 25-30 leases, all of which are abstracted but I expect that we will need to review and verify the abstracts.

The project will include:

– Review Chart of accounts for all properties for consistency and make adjustments as necessary

Ideally, the contractor has significant experience with Yardi‘s accounting function. The perfect contractor is someone who is seeking part time work and a fairly flexible schedule. I expect that much of the work can be completed remotely, but some time onsite (Triangle location) will be required.

Please let me know if you are aware of potential contractors and I will reach out to them with project specifics.

Joe: So I gave him my credit card and he cleaned up the viruses and offered 2 years of support for $400. Is this OK?

Wow! Nailed again. I have had this exact conversation a dozen or more times with clients and friends, each of whom have received shiny brand new credit cards or checking accounts as a result. That’s right. Not only is your computer security compromised, you have also given a scammer access to your credit card or checking account.

This is a very common scam and has various attack vectors. For a while, the most common approach was via phone call. I used to receive a couple of calls a week from overseas callers claiming to be from Microsoft stating that they had noticed dangerous virus activity on my computer. I typically strung them along long enough to find my trusty sports whistle, which I blew loudly into the phone. This usually resulted in a prompt dropped call.

I also tried providing access to a virtual machine just to see what they would do but they usually got wise to me when I strung out the call. Here’s a very entertaining fake support “technician” that called a seasoned security researcher at Malwarebytes who turned on his recorder and had some fun with the caller. This is a very long audio session, but is worth your time. Heck, some readers will recognize the script from their personal experience. Ultimately, he angered the caller, who attempted to delete stuff off of his computer which is yet another reason that you should simply hang up on these guys.

My first exposure to this type of scam was a very bright friend of mine who ended up with 2 compromised machines and a new credit card!

Another attack approach is via email. However, the most common vector today seems to be via “drive by attacks” where the user either clicks a link, such as an ad, or clicks on a rogue search result and lands on a malicious website. For example, say you search for WRAL and the top result is wral.net (a bogus link), and you inadvertently click on it, instead of WRAL.com. Instead of seeing today’s headlines you get a gnarly web page:

These are extremely intimidating alarms, even for seasoned web users. Not only do they lock the browser, preventing you from closing Chrome, Firefox, Safari, or IE, but they also have a recorded message that seemingly cannot be silenced. The warning purports to come from Microsoft or another trusted tech company and provides a support phone number. The user is warned NOT to close the browser without calling the number, as bad things will happen. The secret here is that closing the browser will swiftly defeat the scam. If you cannot close the browser by conventional methods or by using Task Manager, simply save and close your work in Word, Excel, AutoCAD, etc. and then reboot your computer. This solves the problem if you don’t navigate back to the same rogue website.

Now, once the computer reboots, you should run a virus scan using whatever virus protection suite is installed on your computer. As a safety net, download and run Malwarebytes just to be sure.

These scams are more bark than bite, unlike the ransomware attacks that have monopolized headlines over the last year. But, they are extremely profitable for hackers and a massive headache for victims.

Remember: Don’t be intimidated by these scary pop-ups, and never, never, never give your credit card or banking information to random callers. When in doubt, call your trusted tech provider as we have seen these scams time and time again.

Share this:

News of a new vulnerability surfaced this week in an issue that will affect ALL users that access the internet using WiFi, whether on your laptop, desktop, tablet, phone, etc. The vulnerability, named KRACK, is a weakness identified in the WPA2 protocol which, until now, has been deemed virtually bulletproof. The WPA2 wireless protocol is configured on nearly every single home wireless device and a vast majority of small and medium business wireless devices.

The vulnerability allows hackers unauthorized access to your network without the WiFi password and can allow strangers to eavesdrop on your wireless connection, obtain passwords, credit card info, etc. Now, with that said, as long as you’re accessing secure websites (i.e. those that show https:// in the URL) your information should be safe.

The good news is that the hacker needs to be physically close to the wireless network that you’re using to exploit the vulnerability. Thus, public WiFi is inherently more dangerous than your home’s wireless. The bad news is that virtually every single WiFi device that you have is using WPA2 to secure your connection. Thus, everyone needs to pay attention to this problem.

This is mostly a client-side attack, meaning that it’s most important to update your wireless endpoints than your wireless router. Thus, keep Windows and Mac OS X updated on your laptop/desktop; download/apply updates on Android phones and iPhones, iPads and other tablets as well as readers such as Kindles. While all of these endpoint makers are scurrying to update their software, manufacturers of wireless routers and access points are in the process of pushing out updates, many of which must be manually applied. Check the BleepingComputer link for updates on your equipment.

How to Protect Yourself:

The best way to protect yourself is not breaking news, as we’ve heard this for years: make sure that you install all updates and security patches on all of your devices. Many manufacturers have already pushed out patches. In fact, Windows was patched in Microsoft’s October 10th Patch Tuesday release. Other devices are reliant on their manufacturer’s software release schedules. For a list of updates by major manufacturers, take a look at BleepingComputer’s list.

Other steps you can take:

Avoid public WiFi at all costs: this is nothing new, but it is even more imperative with the KRACK vulnerability. I have not used public WiFi for years, opting instead to use my Verizon hotspot. Public WiFi includes coffee shops, hotels, free municipal WiFi, etc.

Only connect to secure sites: as discussed above, avoid sites that begin with http:// and NEVER EVER enter your credit card info, social security numbers, passwords or any other sensitive information on websites that are not secure. And if you encounter a website that shows a red slash through https://, close the page and check back later.

Continue using the WPA2 wireless security protocol: despite the vulnerability, it’s still the safest security profile for home and small business users and should be patched very quickly.

Use a wired connection if you can: if your wireless router or switch is accessible and you can connect you laptop via ethernet cable, do this until the WPA2 protocol is fixed. Devices that are connected via ethernet are not susceptible to this problem. This is not always convenient, but it’s better to be safe than sorry.

Use a VPN if possible: if you absolutely must use public WiFi, connect to your workplace using a VPN and send all of your internet traffic through the secure tunnel.

Changing your WiFi password will not help, unless your password is weak to begin with. In the case of a weak password, strengthening that is never a bad idea.

Updating your wireless router’s firmware is not a simple task, so contact me or your network administrator for assistance in installing these updates.

In summary, there’s really nothing new here needed to protect yourself as long as you’re keeping your systems/devices updated, avoiding public WiFi, only accessing sensitive information on secure (https://) sites, etc. As long as you remain vigilant and get to know your technology a little better, you should be able to safely navigate the world wide jungle.

Stay safe out there!

****************************************************************************************************Please feel free to pass this along to friends and co-workers.

Share this:

I attended a Technology Roundtable last week and one of the topics was “What keeps you awake at night?” My immediate response was “Ransomware”. Two days later, news broke about the massive ransomware attack dubbed “Wanna Cry” which was wreaking havoc on computers and servers around the globe.

This is truly the kind of attack that keeps IT professionals up at night.

Many viruses, rootkits, and malware are annoyances and can be removed by tools that are readily available on the internet. While some can be removed pretty quickly with killer apps like MalwareBytes, others may be more tenacious and require a recovery of your files and reinstallation of your operating system, a process that will take hours or days and cost a pretty penny. However, at the end of the day, all of your files can be safely restored either from your hard drive or a recent backup (you ARE backing up, right?)

The most devastating malware affecting users today is different. It’s called Ransomware and it will ruin your day, week AND year.

Ransomware has been around for a decade or more. You may recognize some of the variants, including CryptoLocker, Locky, and most recently Wanna Cry .

Here’s what it does:

The infections search for and encrypt important files on your computer using common encryption algorithms. When the file encryption process completes, the program displays a payment message prompting the user to send a ransom of $300+ to purchase the decryption keys to recover your files. The ransom frequently increases with time until you pay up. Failure to pay the ransom results in deletion of your encryption key and permanent file loss.

Ransoms must be paid using MoneyPak vouchers or Bitcoins which are not easily traceable by law enforcement to an organization or individual. Once you send the payment and it is verified, the program will send you the key to decrypt the files that it locked. (thanks to Lawrence Abrams on BleepingComputer.com for this summary)

How you Become Infected with Ransomware:

The infection is typically spread through infected email attachments. In the past, the emails have posed as customer support notices from Fedex, UPS, DHL, etc. and the attachment was typically named Form_102213.pdf or Form_102213.pdf.exe (or some variant of these), but might also be disguised as a ZIP or other file type. A key difference between prior infections and Wanna Cry is that once a computer was infected on a company network, it exploited a vulnerability in Windows that allowed it to spread from computer to computer on local networks. Thus, it had a devastating impact within large organizations.

What if you get infected:

The first thing to do is disconnect your computer from the internet and power it off– QUICKLY! This will prevent encryption of additional files. If you’re working wirelessly, disable wireless on your PC. If connected via Ethernet cable, pull the plug. Next call your IT pro and start deciding how important your encrypted files are to you. Also, figure out where your most recent backup is and how recently it ran. Most cloud-based backup services provide file versioning for a period of time. For example, Carbonite saves previous versions of files for 3 months which could be your saving grace.

Removal of the malware is fairly straightforward. However, without the decryption keys it is absolutely impossible to decrypt your files. Thus, if you cannot recover the files from a recent backup and need them restored, your only option is to act quickly and send the ransom money. There is currently no tool available (or IT Pro) that can decrypt your files.

How to protect yourself:

1. Be vigilant about opening email attachments – never open an attachment originating from unknown/unexpected sources (i.e. if you’re not traveling anywhere, don’t open a travel itinerary from Delta!). Also, be careful when opening unusual attachments from trusted sources as their email may have been hacked. EDIT: I rarely open email attachments even from known senders unless I am absolutely expecting it (i.e. a friend/client has explicitly stated that they are sending over an Excel spreadsheet on Monday — i will probably open this; however, if I receive an attachment from a friend that I’m not expecting, I will text or call them to verify its authenticity. NEVER send an email to verify the doc). Further, do not open unexpected file shares through DropBox, Google Drive or other sync services unless you expect them. Even then, proceed with caution.

2. Keep all programs updated and Windows Updates applied. The recent Wanna Cry ransomware exploited a security vulnerability in Windows. Microsoft issued a patch for the issue in March, so if you’re keeping Windows updated then you should be safe. Windows 10 forces download/installation of updates, so unless you have “hacked” Windows 10 to deny the updates, you should be safe. In fact, most accounts report that Windows 10 was not targeted by the most recent attacks.

4. Backup, backup backup… and then Backup! to an external hard drive ($85 for 1TB) and disconnect it from your computer or use an online service that provides versioning. I am a partner/reseller for BackBlaze and can help you get this up and running quickly. When all other protections fail, a good/current backup will get you back in business without having to pay up to the bad guys!

5. Be very careful about free software you download from the internet. Many seemingly useful programs such as PDF writers or video downloaders come with malicious “baggage”.

6. Make sure you’re running System Restore on your PC. This can help recover previous versions of files that have been encrypted. While this is not a fail safe, it’s still a good idea to make sure this feature has not been disabled in Windows.

7. Apply the Software Restriction Policies outlined in this article using Local Security Policy or Group Policy (domain computers) to disable the malware’s ability to execute on your system. This is fairly advanced, so please let me know if you want assistance applying these policies to your PC. Also, keep in mind that these policies will block the malware in its current form. As hackers modify the code to install from another location on your computer, these policies will not protect you.

8. Train your users to be vigilant about the emails they open, the links they click and the email attachments they open.

Is There any GOOD News?

As a matter of fact, yes. Most of the recent attacks occurred overseas, mostly European computers and servers. Further, a security researcher reviewed the code during the attacks and located/activated a “kill switch” which dramatically slowed the spread of Wanna Cry. However, it was slowed, not stopped. The BAD news, though, is that this was a variant on a common malware attack pattern. As long as there is money to be made in malware there will be plenty of future attacks to come. AND, as any user of Windows knows, there are plenty of security holes in the operating system as evidenced by the nearly constant interruption of Windows Updates.

Share this:

If you live in the southeastern United States, you’re undoubtedly bracing for a stormy Labor Day weekend, courtesy of tropical storm Hermine. Where forecasters originally called for central and eastern North Carolina to take a fairly substantial hit, the storm’s projected track has moved eastward and we’re expecting a wet holiday weekend with a less direct storm impact.

With that in mind, it’s a good time to think about protecting your electronics and data from natural disasters. Thus, I have listed a fewl precautionary measures that users should take to protect data and equipment when the weather takes a threatening turn.

Backup your data – this goes without saying, whether weather is threatening or not. ALL of your data should be backed up to protect against data loss resulting from natural disasters, malware attacks, hacks and other threats to your data security. If you backup to a hard drive, make sure you’re storing it offsite in the event of fire or flood.

Unplug your stuff – unplug power cords AND network cables. This applies to computers, televisions, servers, tablets, routers, mobile phones, etc. Just take care to perform a normal shutdown of the computer rather than putting it to sleep or hibernation before unplugging from the wall.

Use surge protectors – all of your valuable electronics should be connected to surge protectors (NOT power strips) or battery backups to protect against mild electrical impulses. While most surge protectors will not protect against a direct hit, they should absorb mild jolts. Even if your electronics are plugged into a surge protector, though, you should still shut down your devices and disconnect the surge protector from the wall when thunderstorms are near.

People frequently ask me whether it’s best to put their computers to sleep at night or shut down completely. I typically put my machines to sleep at the end of the day so that they start up quickly in the morning. However, during summer months when thunderstorms can develop rapidly, I frequently shut my equipment down and pull the power and data plugs for extra peace of mind.

Finally, don’t wait until storms are on the approach to take these steps. If you’re leaving for the holiday weekend, go ahead and take precautionary measures to protect your gear. If you’re already on the road and your devices are connected to surge protectors, hope for the best.

Remember, an ounce of prevention can be the difference between protecting your assets/data and scrambling to recover it!

If you want a faster, more stable and more secure browser, install and use Google Chrome. Other options include Mozilla Firefox, Apple Safari and the little-known Opera browser. Don’t know which to choose? Download them all and see which one you like. I have used Chrome exclusively for years and find it to be fast, stable and secure. Plus, it’s built by Google so naturally works well with all of my Gmail and Google services.

If you’re still hanging on with Windows XP, you’re stuck. Microsoft is feverishly working on a patch for this vulnerability for Windows Vista and Windows 7 users. However, following XP’s support sunset on April 8, 2014, there’s no relief in the future for XP holdouts.

Your best bet is to dump Internet Explorer for good and move on to a “big boy” browser!

Be safe out there.

Share this:

By now you have heard news about the Heartbleed / OpenSSL vulnerability that is sweeping the internet. Since getting wind of the problem many programmers, website owners, and other security professionals have been working around the clock to secure their websites.

It’s still very early in the process and as of 4/10/2014 many operators have not yet addressed publically whether their sites were safe or affected. Lists are popping up that show safe and vulnerable websites. However, the status of the website is as of a snapshot in time. Thus, if a website operator was vulnerable but patched their website on Wednesday morning and the test was run on Wednesday afternoon, they may give you a false sense of security. Thus, it is not safe to rely on these lists to assess whether or not your accounts were affected since this vulnerability has been present for 2 years.

What is the issue?

This is not a virus or a hack. This is a vulnerability in the programming code that allows intruders to get through the security “wall” that protects many websites. This hole allows hackers to compromise the digital keys used to identify websites and encrypt the info. It also provides a look at unencrypted data as it passes over the internet onto web servers.

Think of it this way: You moved into a new house 2 years ago. You always lock your doors whether you’re home or away and have 24/7 alarm system. However, while you were painting your front door, you noticed a secret latch on the outside that releases the locks and allows strangers to walk in your front door. While in, they can grab your wallet, social security numbers, usernames, passwords, etc. as if they have a key to the house. There’s no way to tell if anyone has accessed the house, but the opportunity has always been there. Thus, the problem is not “backdoor” access to secure websites… hackers can waltz right in the front door.

I have told people for yearsnever to log into a website, provide credit card numbers or any other sensitive information unless the URL address is preceded by https://. The https://, the padlock and the green color indicate that several things have happened behind the curtains, including:

Verification that the website is really who they say they are – your browser verifies digital certificates to confirm that www.gmail.com is really Gmail.

Encrypts the data as it passes across the internet – thus, if someone intercepts your username, password and credit card as it passes across the internet to a web server, it’s scrambled and completely useless to a hacker.

Unfortunately, this vulnerability compromised that security, leaving your passwords, usernames & credit card numbers vulnerable on affected web servers. With that said, you should still follow these rules going forward. They just have not provided the security that we all expected for the last 2 years.

Am I affected?

At this point, it’s not entirely clear which sites are affected – the development is so new that many web site owners are still scrambling to assess and apply patches. While you can check the lists referenced above, they are as of a point in time. Your best approach is to either check in with your online providers (banks, shopping sites, email providers, etc) to find out whether they were affected, whether they have corrected the problems and what course of action you should take to protect yourself.

Is this a virus?

NO. Despite the subtitle of an Associated Press news article I read Wednesday morning, this is not a virus, but a security hole. According to a Google search

Virus: a piece of code that is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data.

Thus, running antivirus software or active scans will not detect or remove the problem.

What should I do?

The first step in securing your accounts is to change passwords for all of your online accounts. But don’t jump out there and do it yet. As of this writing (7AM EST on 4/10/2014) many websites have not applied the patches to OpenSSL so your changes would be made in vain.

You should already be in the habit of changing your passwords to critical sites every 3-6 months. You’re not? Neither is the rest of the world. As such, use this as a wake-up call to freshen up your passwords. Be sure they’re complex and use the following guidelines as minimum:

Do not use your name, your user name, family names or familiar numbers, like your birthdate or home address.

Avoid dictionary words.

Use a passphrase instead of a password.

Passwords should be at least 8 characters long.

Employ characters from at least 3 of the 4 following groups:

Uppercase letters;

Lowercase letters;

Numbers;

Symbols;

A brief list of the internet’s most popular sites and whether or not they were affected is available here.

As always, feel free to contact me if you have questions about this problem. If you want additional information on the bug, check out these articles:

Share this:

If you saw me right now, you would probably ask if I had just seen a ghost. After reading several articles about a new extremely dangerous and destructive form of ransomware, I feel like I’m facing Freddy Krueger!

This is the kind of attack that keeps IT professionals up at night.

Most viruses, rootkits, and malware are annoyances and can be removed by tools that are readily available on the internet. While some can be removed pretty quickly with killer apps like MalwareBytes, others may be more tenacious and require a recovery of your files and reinstallation of your operating system, a process that will take hours or days and cost a pretty penny. However, at the end of the day, all of your files can be safely restored either from your hard drive or a recent backup (you ARE backing up right?)

This one is different. It’s called CryptoLocker and it will ruin your day. Here’s what it does:

CryptoLocker is a ransomware program that was released around the beginning of September 2013. This infection will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 96 hours, or 4 days, to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files. This ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted. (thanks to Lawrence Abrams on BleepingComputer.com for this summary)

How do you become infected with CrptoLocker:

Currently, the infection is spread through emails pretending to be customer support notices from Fedex, UPS, DHL, etc. and the attachment is typically named Form_102213.pdf or Form_102213.pdf.exe (or some variant of these), but might also be disguised as a ZIP or other file type.

What if you get infected:

The first thing to do is disconnect your computer from the internet – this will prevent encryption of additional files. If you’re working wirelessly, disable wireless on your PC. If connected via Ethernet cable, pull the plug. Next call your IT pro and start deciding how important your encrypted files are to you. Also, figure out where your most recent backup is and how recently it was completed. Most cloud-based backup services provide file versioning for a period of time. For example, Carbonite saves previous versions of files for 3 months which could be your saving grace.

Removal of the malware seems to be straightforward according to the articles. However, without the decryption keys it is absolutely impossible to decrypt your files. Thus, if you cannot recover the files from a recent backup and need them restored, your only option is to act quickly and send the ransom money. There is currently no tool available (or IT Pro) that can decrypt your files.

How to protect yourself:

1. Be vigilant about opening email attachments – never open an attachment originating from unknown/unexpected sources (i.e. if you’re not traveling anywhere, don’t open a travel itinerary from Delta!). Also, be careful when opening unusual attachments from trusted sources as their email may have been hacked.

2. Be very careful about free software you download from the internet.

3. Backup to an external hard drive ($85 for 1TB) and disconnect it from your computer or use an online service that provides versioning.

4. Keep all programs updated and Windows Updates applied.

5. Make sure you’re running System Restore on your PC. This can help recover previous versions of files that have been encrypted.

6. Apply the Software Restriction Policies outlined in this article using Local Security Policy or Group Policy (domain computers) to disable the malware’s ability to execute on your system. This is fairly advanced, so please let me know if you want assistance applying these policies to your PC. Also, keep in mind that these policies will block the malware in its current form. If the hackers modify the code to install from another location on your computer, these policies will not protect you.

The above tips can help mitigate the risk but the best tip is not to open suspicious files. Tip #6 is the best available protection in the event that you accidentally open a file and obtain the infection in its current form.

Share this:

In the past couple of months, I have spoken with several clients that have experienced serious security breaches. One client lost $15,000 when it was transferred from her checking account to someone else’s account. Another person’s AOL email account was hacked by a stranger. The hacker sent messages from the compromised account to the victim’s financial advisor and attorney requesting that they cut checks and mail them to an address in Ohio. Several other friends, family and clients reported that their email accounts were hacked and they had spammed everyone in their address book. While the missing money is still being investigated by the bank and law enforcement authorities, the other infractions were enabled by users’ lack of attention to basic security precautions. The owner of the AOL account admitted that he had used the same simple password for close to a decade, acknowledged the error of his ways, but was dumbfounded that someone had actually hacked their way in and attempted to steal from him. These are not stories I read about on the internet. They are friends, family and clients right here in my community.

I encounter simple passwords on a daily basis. Things like password123 or kenspassword provide a minor speed bump for a determined hacker that wants access to sensitive information. I discussed creating complex passwords in a blog entry last year and encourage you to read it.

So how do hackers obtain passwords and access accounts? While some passwords are easily guessed, others are hacked using “brute force” methods – software that repeatedly guesses passwords until an account is unlocked. Still others are found written down on a sticky note and “hidden” on your computer monitor or desk for the world (and cleaning people) to see.

Sure, there are the “typical” ways that passwords are obtained by unauthorized users. But how safe are you when accessing your accounts on public networks, such as free wi-fi in coffee shops and bookstores? There are a variety of free tools available on the internet that allow snoopers to monitor wireless channels, watching what their neighbors are viewing and collecting passwords, account names and a whole host of other useful information. As illustrated in this recent PC World article, it’s easier than ever for even a novice to gather very damaging information over public wi-fi.

So how do you defend against these criminals? Here are a few pointers:

Never log into your accounts on public wi-fi unless the website is SECURE**. This includes all email accounts, online banking, Amazon, or any other service that might store your credit card numbers. Also, beware of logging into your email account over public wi-fi, especially since your email account can be used to reset passwords for other accounts. This also includes using MS Outlook. If Outlook is not set up to use a secure connection, then your password is being transmitted in clear text, meaning that the kid in the corner of the coffee shop has access to your email account. (Yes… even if you don’t have to enter a password to get your Outlook email, one is being sent to your mail servers behind the curtains).

Make sure that your connection stays encrypted for the entire session, not just when you log in. Various websites and email services allow you to tweak this setting. For example, Gmail includes a Browser Connection option, “Always use https”.

If you have access to a VPN at work, log in to that before surfing the web on a public network.

BYOD (bring your own device). If you are frequently on the go and need access to the internet, pick up a portable hot spot. I just got one from Verizon for $0 upfront and $20/month. This way, I always have access to the internet and can connect up to 10 devices.

When in doubt, just wait until you get back home or to the office to conduct your banking, check email or buy that latest book from Amazon.

As a side note, I NEVER conduct financial transactions on someone else’s internet connection (coffee shops, hotels, or cousin Tommy’s house). I also NEVER check my email on someone else’s computer. You never know what malware or keylogger is lurking on someone else’s machine.

** How do you tell if a website is SECURE? The address (URL) is preceded with https://. If it is http:// (without the “s”), then you might as well stand up in the middle of the coffee shop and announce your login credentials. A SECURE connection (https://) indicates that a lot is going on behind the scenes. Your browser has verified that the website is who it says it is (yes, this is really Bank of America, not Vladmir’s fake banking site). It also indicates that anything you transmit across the internet, such as passwords, user names, and credit card numbers are encrypted, or scrambled. Thus, even if Poindexter intercepts the information, it is worthless to him.

Just one more thing: If you are using wireless at home and have not set up security on the connection, then everyone on your street can enjoy a free ride on your high speed connection. Not only that, but your data is subject to the same snooping vulnerabilities described above. Your wireless router should be set up with WPA or WPA2 security at a minimum. Wireless router manufacturers have made it easier than ever to complete your initial setup, so it’s worth taking the time to do it right or call someone that can help you.

So take a few minutes to assess your online habits and IT security, whether you’re surfing from the office, from home or on public wireless. If all of this is just too much to digest, give us a call and we can help you navigate these dangerous waters before you surf.